The New Fraud Migrating to Mobile: Transaction Laundering

January 19, 2017

By Ron Teicher, CEO, EverCompliant

Last year, mobile devices accounted for a third of the total payments on ecommerce retail sites during Thanksgiving and Black Friday sales, making it clear that more people than ever are doing their online shopping on mobile devices. In fact, according to Adobe, it was the first time phone and tablet users spent more than $1 billion during the sales frenzy. Forecasts show that the global ecommerce market will be worth 2.4 trillion U.S. dollars by 2019, and with mobile commerce (mcommerce) part of this growing industry, worldwide mobile payment revenue is expected to surpass 1 trillion U.S. dollars by 2019.

These numbers are creating opportunities for emerchants to profit, through legal and illegal means. One form of ecommerce fraud that has gained popularity is called Transaction Laundering (TL), a practice where merchants knowingly or unknowingly use a legitimate website to process payments on behalf of another business. These payments are often used for illegal activities including the sale of counterfeit goods, drugs, pornography, or forbidden pharmaceuticals.

In essence, TL is a type of money laundering that takes place on the Internet. Whereas traditional money launderers use physical (brick and mortar) shops as fronts for illegal businesses, Transaction Launderers execute the equivalent online. And with the absence of a physical presence, it’s a lot harder for financial authorities, such as MSPs, to spot criminal activity and catch the crooks.

Consequently, there is little motivation for the Transaction Launderers to stop. And it’s even harder to hinder them on mobile. That’s because few financial organizations have access to the technology needed to detect or prevent such criminal activities in the mobile world. Such technology needs to monitor the increasingly complex labyrinth of multiple operating systems, platforms and in-app offers. Android and iOS, for example, are the most popular operating systems. Android phone manufacturers, however, heavily customize the OS by adding an additional layer on top of the Google baseline. Furthermore, there are at least two major and an additional six minor phone operating systems in use today. To add to that, as opposed to websites that use standard technologies including HTML and JavaScript, mobile apps lack a standard markup language for deciphering texts and images. Mobile screens are rendered, making them much more difficult to analyze than web pages.

And then there are the app stores: MSPs trust stores such as Google Play and Apple, and may see no reason to look for suspicious content if they focus only on official shops. However, Transaction Launderers can direct their consumers to download apps from different, smaller stores. And even the major stores are not bulletproof: when customers purchase their items, they may be routed through the browser to the payment page of a website, for example. Such apps would not be detected by the stores as processing payments. Fraudsters have learned to take advantage of these difficulties and evade traditional monitoring techniques.

Difficult or not, acquiring banks and payment processors are responsible for TL violations, and the consequences for committing these violations are bleak: fines, sanctions, and even reputation damage. To avoid these consequences, banks and payment processors must seek more efficient ways of detecting and preventing TL in their merchant portfolios, including TL detection for mobile.

Credit card brands are aware of these mobile-related risks. As early as May 2016, MasterCard warned of the need to watch for products and services offered on mobile applications. They consider mobile apps to be increasingly relevant and prevalent and realize that they may need to be monitored just like merchants’ websites. They have also warned that Transaction Launderers may use mobile sites to circumvent their rules.

Today, with thousands of new apps being uploaded worldwide, it has become impossible to ignore mobile. MasterCard’s foresight has proved to be true. I’ve come across a few cases where TL was detected on mobile applications rather than on their corresponding websites. In one example, there was a registered website claiming to offer dating services. When a scan was performed on this website, a number of unreported mobile applications were detected, all offering adult content and prostitution. We then discovered, while performing a test transaction, that the merchant was processing the payments through the dating services website.

This example demonstrates that acquiring banks and payment processors must take an approach that considers the unique challenges of mobile commerce. Using cyber intelligence, they can detect unreported mobile apps and sites. For example, criminals who register a site or an app may later create another site or app that they do not register. Monitoring merchants on an ongoing basis is critical for the prevention of TL. By using advanced cyber intelligence techniques, banks and payment processors can uncover any hidden illicit activity. With ongoing monitoring that maintains the same scrutiny applied during the onboarding process, MSPs will be better equipped to detect TL on mobile apps, or anywhere in their merchant portfolios.